CVE-2026-34613: AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins
The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), so the ORM-level Referer/Origin domain validation in ObjectYPT::save() is bypassed for writes to that table as well. Because the session cookie is issued with SameSite=None, the browser attaches it to cross-site requests, so an attacker who lures a logged-in admin to a malicious page can submit a forged request that disables critical security plugins (for example LoginControl, which provides 2FA, or subscription-enforcement and access-control plugins).
Plugin UUIDs are not secret values. They are hardcoded in the frontend JavaScript source and are consistent across installations, making it trivial for an attacker to target specific plugins.
References
- github.com/WWBN/AVideo
- github.com/WWBN/AVideo/commit/7ddfe4ec270d720e11f5dc28db73dfcd2cf9192a
- github.com/WWBN/AVideo/commit/da375103d59118d1c1b1801ac7fce3cd426f8736
- github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44
- github.com/advisories/GHSA-hqxf-mhfw-rc44
- nvd.nist.gov/vuln/detail/CVE-2026-34613